Tolerance is not enforced during a flash governance decision #306
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)
resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
shw
Vulnerability details
Impact
Most of the functions with a `governanceApproved` modifier call `flashGoverner.enforceTolerance` to ensure the provided parameters are restricted to some range of their original values. However, in the `governanceApproved` modifier, `flashGoverner.setEnforcement(true);` is called after the function body is executed, and thus the changed values are not restricted during the function execution.

An attacker can exploit this bug to change some critical parameters to arbitrary values by flash governance decisions. The effect will last until the community executes another proposal to correct the values. In the meantime, the attacker may make use of the corrupted values to launch an attack.
Proof of Concept
`adjustSoul` function of `Limbo`, and sets the `fps` of a soul to an extremely large value.
`FlashGovernanceArbiter` contract.
`claimReward` to get his rewards on the corresponding soul (assume that he has staked some number of the token before). Because of the manipulated `fps`, he gets a large number of Flan tokens as the reward.

Referenced code:
DAO/Governable.sol#L46-L57
Limbo.sol#L380-L381
Limbo.sol#L327-L329
Limbo.sol#L530
Limbo.sol#L628-L630
Recommended Mitigation Steps
Rewrite the `_governanceApproved` function and the `governanceApproved` modifier as follows:
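The modifier-ordering problem this finding describes, as an added example that is neither the patch recommended in this report nor the sponsor's code. It is a simplified model that assumes the enforcement flag is off when the call begins and that the tolerance rule is a factor of two; `ToleranceGate`, `SoulModel`, `governanceApprovedLate`, `governanceApprovedEarly`, `adjustFpsLate` and `adjustFpsEarly` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model for illustration; not the project's contracts.
// Access control on setEnforcement is omitted to keep the model short.
contract ToleranceGate {
    bool public enforceLimitsActive; // assumption: off when the call begins

    function setEnforcement(bool enforce) external {
        enforceLimitsActive = enforce;
    }

    // Assumed rule: the new value must stay within a factor of 2 of the old.
    function enforceTolerance(uint256 oldValue, uint256 newValue) external view {
        if (!enforceLimitsActive) return; // check is skipped while the flag is off
        require(newValue <= oldValue * 2 && newValue >= oldValue / 2, "outside tolerance");
    }
}

contract SoulModel {
    ToleranceGate public flashGoverner = new ToleranceGate();
    uint256 public fps = 100;

    // Ordering described in the finding: the flag is raised only after the
    // body has run, so the enforceTolerance call inside the body is a no-op.
    modifier governanceApprovedLate() {
        _;
        flashGoverner.setEnforcement(true);
    }

    // Hardened ordering: raise the flag before the body executes.
    modifier governanceApprovedEarly() {
        flashGoverner.setEnforcement(true);
        _;
    }

    // Accepts any newFps while the flag is still off (fresh deployment here).
    function adjustFpsLate(uint256 newFps) external governanceApprovedLate {
        flashGoverner.enforceTolerance(fps, newFps);
        fps = newFps;
    }

    // Reverts when newFps is outside the assumed tolerance of the current fps.
    function adjustFpsEarly(uint256 newFps) external governanceApprovedEarly {
        flashGoverner.enforceTolerance(fps, newFps);
        fps = newFps;
    }
}
```

A regression test for the real modifier can follow the same shape: call a `governanceApproved` function with an out-of-range value from a state where enforcement is off and assert that the call reverts.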